diff --git a/common.go b/common.go
index f66c19d..31fc712 100644
--- a/common.go
+++ b/common.go
@@ -5,8 +5,6 @@ import (
 )
 
 const (
-	magic uint32 = 0xfeedfeed
-
 	version01 uint32 = 1
 	version02 uint32 = 2
 
@@ -14,6 +12,8 @@ const (
 	trustedCertificateTag uint32 = 2
 )
 
+var jksMagicBytes = []byte{0xfe, 0xed, 0xfe, 0xed}
+
 var byteOrder = binary.BigEndian
 
 var whitenerMessage = []byte("Mighty Aphrodite")
diff --git a/go.mod b/go.mod
index 500eac7..8ca77d0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,10 @@
 module github.com/pavlo-v-chernykh/keystore-go/v4
 
 go 1.17
+
+require (
+	github.com/corbym/gocrest v1.0.6
+	software.sslmate.com/src/go-pkcs12 v0.5.0
+)
+
+require golang.org/x/crypto v0.11.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..f9e74b0
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,43 @@
+github.com/corbym/gocrest v1.0.6 h1:o1BKLyGFvKndpJUUkGpF5DXzzKSbPTnNvGXfIAgV9x0=
+github.com/corbym/gocrest v1.0.6/go.mod h1:lF3xBPnOU5DYDpa/vUq63SMxUhd5UAwGgmA8Z2pJ/Tk=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+software.sslmate.com/src/go-pkcs12 v0.5.0 h1:EC6R394xgENTpZ4RltKydeDUjtlM5drOYIG9c6TVj2M=
+software.sslmate.com/src/go-pkcs12 v0.5.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
diff --git a/keystore.go b/keystore.go
index 2c3f222..0b06d30 100644
--- a/keystore.go
+++ b/keystore.go
@@ -1,7 +1,6 @@
 package keystore
 
 import (
-	"bytes"
 	"crypto/rand"
 	"crypto/sha1"
 	"errors"
@@ -109,7 +108,7 @@ func (ks KeyStore) Store(w io.Writer, password []byte) error {
 		return fmt.Errorf("update digest with whitener message: %w", err)
 	}
 
-	if err := e.writeUint32(magic); err != nil {
+	if err := e.writeBytes(jksMagicBytes); err != nil {
 		return fmt.Errorf("write magic: %w", err)
 	}
 	// always write latest version
@@ -143,67 +142,6 @@ func (ks KeyStore) Store(w io.Writer, password []byte) error {
 	return nil
 }
 
-// Load reads keystore representation from r and checks its signature.
-// It is strongly recommended to fill password slice with zero after usage.
-func (ks KeyStore) Load(r io.Reader, password []byte) error {
-	d := decoder{
-		r: r,
-		h: sha1.New(),
-	}
-
-	passwordBytes := passwordBytes(password)
-	defer zeroing(passwordBytes)
-
-	if _, err := d.h.Write(passwordBytes); err != nil {
-		return fmt.Errorf("update digest with password: %w", err)
-	}
-
-	if _, err := d.h.Write(whitenerMessage); err != nil {
-		return fmt.Errorf("update digest with whitener message: %w", err)
-	}
-
-	readMagic, err := d.readUint32()
-	if err != nil {
-		return fmt.Errorf("read magic: %w", err)
-	}
-
-	if readMagic != magic {
-		return errors.New("got invalid magic")
-	}
-
-	version, err := d.readUint32()
-	if err != nil {
-		return fmt.Errorf("read version: %w", err)
-	}
-
-	entryNum, err := d.readUint32()
-	if err != nil {
-		return fmt.Errorf("read number of entries: %w", err)
-	}
-
-	for i := uint32(0); i < entryNum; i++ {
-		alias, entry, err := d.readEntry(version)
-		if err != nil {
-			return fmt.Errorf("read %d entry: %w", i, err)
-		}
-
-		ks.m[alias] = entry
-	}
-
-	computedDigest := d.h.Sum(nil)
-
-	actualDigest, err := d.readBytes(uint32(d.h.Size()))
-	if err != nil {
-		return fmt.Errorf("read digest: %w", err)
-	}
-
-	if !bytes.Equal(actualDigest, computedDigest) {
-		return errors.New("got invalid digest")
-	}
-
-	return nil
-}
-
 // SetPrivateKeyEntry adds PrivateKeyEntry into keystore by alias encrypted with password.
 // It is strongly recommended to fill password slice with zero after usage.
 func (ks KeyStore) SetPrivateKeyEntry(alias string, entry PrivateKeyEntry, password []byte) error {
diff --git a/keystore_load.go b/keystore_load.go
new file mode 100644
index 0000000..c265c0e
--- /dev/null
+++ b/keystore_load.go
@@ -0,0 +1,125 @@
+package keystore
+
+import (
+	"bytes"
+	"crypto/sha1"
+	"errors"
+	"fmt"
+	"io"
+	"software.sslmate.com/src/go-pkcs12"
+)
+
+// Load reads keystore representation from r and checks its signature.
+// It is strongly recommended to fill password slice with zero after usage.
+func (ks KeyStore) Load(r io.Reader, password []byte) error {
+	d := decoder{
+		r: r,
+		h: sha1.New(),
+	}
+	fourBytes, err := d.readBytes(4)
+	if err != nil {
+		return fmt.Errorf("read magic: %w", err)
+	}
+
+	magicBytesReader := bytes.NewReader(fourBytes)
+	fullReader := io.MultiReader(magicBytesReader, r)
+
+	if bytes.Equal(fourBytes, jksMagicBytes) {
+		return ks.loadJks(fullReader, password)
+	} else {
+		return ks.loadPkcs12(fullReader, password)
+	}
+}
+
+// loads the old JKS format
+func (ks KeyStore) loadJks(r io.Reader, password []byte) error {
+	d := decoder{
+		r: r,
+		h: sha1.New(),
+	}
+
+	passwordBytes := passwordBytes(password)
+	defer zeroing(passwordBytes)
+
+	if _, err := d.h.Write(passwordBytes); err != nil {
+		return fmt.Errorf("update digest with password: %w", err)
+	}
+
+	if _, err := d.h.Write(whitenerMessage); err != nil {
+		return fmt.Errorf("update digest with whitener message: %w", err)
+	}
+
+	fourBytes, err := d.readBytes(4)
+	if err != nil {
+		return fmt.Errorf("read magic: %w", err)
+	}
+
+	if !bytes.Equal(fourBytes, jksMagicBytes) {
+		return errors.New("got invalid magic bytes from the file, this is no JKS format")
+	}
+
+	version, err := d.readUint32()
+	if err != nil {
+		return fmt.Errorf("read version: %w", err)
+	}
+
+	entryNum, err := d.readUint32()
+	if err != nil {
+		return fmt.Errorf("read number of entries: %w", err)
+	}
+
+	for i := uint32(0); i < entryNum; i++ {
+		alias, entry, err := d.readEntry(version)
+		if err != nil {
+			return fmt.Errorf("read %d entry: %w", i, err)
+		}
+
+		ks.m[alias] = entry
+	}
+
+	computedDigest := d.h.Sum(nil)
+
+	actualDigest, err := d.readBytes(uint32(d.h.Size()))
+	if err != nil {
+		return fmt.Errorf("read digest: %w", err)
+	}
+
+	if !bytes.Equal(actualDigest, computedDigest) {
+		return errors.New("got invalid digest")
+	}
+
+	return nil
+}
+
+// loads the newer PKCS12 format
+func (ks KeyStore) loadPkcs12(r io.Reader, password []byte) error {
+	allData, err := io.ReadAll(r)
+	if err != nil {
+		return err
+	}
+	certs, err := pkcs12.DecodeTrustStore(allData, string(password))
+	if err != nil {
+		return err
+	}
+	for _, cert := range certs {
+		print(cert)
+
+		certificate := Certificate{
+			Type:    "X509",
+			Content: nil,
+		}
+
+		tce := TrustedCertificateEntry{}
+		tce.CreationTime = cert.NotBefore // by meaning the most fitting option, because x509 doesn't have creation time
+		tce.Certificate = certificate
+		alias := fmt.Sprintf("c_%s,o_%s,ou_%s,cn_%s,s_%s",
+			cert.Subject.Country,
+			cert.Subject.Organization,
+			cert.Subject.OrganizationalUnit,
+			cert.Subject.CommonName,
+			cert.Subject.SerialNumber,
+		)
+		ks.m[alias] = tce
+	}
+	return nil
+}
diff --git a/keystore_load_test.go b/keystore_load_test.go
new file mode 100644
index 0000000..b6c55fe
--- /dev/null
+++ b/keystore_load_test.go
@@ -0,0 +1,125 @@
+package keystore
+
+import (
+	"encoding/pem"
+	"github.com/corbym/gocrest/has"
+	"github.com/corbym/gocrest/is"
+	"github.com/corbym/gocrest/then"
+	"os"
+	"reflect"
+	"testing"
+	"time"
+)
+
+func TestLoad(t *testing.T) {
+	password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
+	defer zeroing(password)
+
+	f, err := os.Open("./testdata/keystore.jks")
+	then.AssertThat(t, err, is.Nil())
+
+	defer func() {
+		err := f.Close()
+		then.AssertThat(t, err, is.Nil())
+	}()
+
+	keyStore := New()
+
+	err = keyStore.Load(f, password)
+	then.AssertThat(t, err, is.Nil())
+
+	actualPKE, err := keyStore.GetPrivateKeyEntry("alias", password)
+	then.AssertThat(t, err, is.Nil())
+
+	expectedCT, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2017-09-19 17:41:00.016 +0300 EEST")
+	then.AssertThat(t, err, is.Nil())
+
+	if !actualPKE.CreationTime.Equal(expectedCT) {
+		t.Errorf("unexpected private key entry creation time: '%v' '%v'", actualPKE.CreationTime, expectedCT)
+	}
+
+	if len(actualPKE.CertificateChain) != 0 {
+		t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
+	}
+
+	pkPEM, err := os.ReadFile("./testdata/key.pem")
+	then.AssertThat(t, err, is.Nil())
+
+	decodedPK, _ := pem.Decode(pkPEM)
+
+	if !reflect.DeepEqual(actualPKE.PrivateKey, decodedPK.Bytes) {
+		t.Errorf("unexpected private key")
+	}
+}
+
+func TestLoadPkcs12_openjdk(t *testing.T) {
+	password := []byte("")
+
+	f, err := os.Open("./testdata/openjdk_temurin_21_cacerts.p12")
+	then.AssertThat(t, err, is.Nil())
+
+	defer func() {
+		err := f.Close()
+		then.AssertThat(t, err, is.Nil())
+	}()
+
+	keyStore := New()
+	err = keyStore.Load(f, password)
+	then.AssertThat(t, err, is.Nil())
+
+	then.AssertThat(t, keyStore.Aliases(), has.Length(148))
+}
+
+func TestLoadKeyPassword(t *testing.T) {
+	password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
+	defer zeroing(password)
+
+	keyPassword := []byte{'k', 'e', 'y', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
+	defer zeroing(keyPassword)
+
+	f, err := os.Open("./testdata/keystore_keypass.jks")
+	if err != nil {
+		t.Fatalf("open test data keystore file: %s", err)
+	}
+
+	defer func() {
+		if err := f.Close(); err != nil {
+			t.Fatalf("close test data keystore file: %s", err)
+		}
+	}()
+
+	keyStore := New()
+
+	if err := keyStore.Load(f, password); err != nil {
+		t.Fatalf("decode test data keystore: %s", err)
+	}
+
+	actualPKE, err := keyStore.GetPrivateKeyEntry("alias", keyPassword)
+	if err != nil {
+		t.Fatalf("get private key entry: %s", err)
+	}
+
+	expectedCT, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2020-10-26 12:01:38.387 +0200 EET")
+	if err != nil {
+		t.Fatalf("parse creation time: %s", err)
+	}
+
+	if !actualPKE.CreationTime.Equal(expectedCT) {
+		t.Errorf("unexpected private key entry creation time: '%v' '%v'", actualPKE.CreationTime, expectedCT)
+	}
+
+	if len(actualPKE.CertificateChain) != 1 {
+		t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
+	}
+
+	pkPEM, err := os.ReadFile("./testdata/key_keypass.pem")
+	if err != nil {
+		t.Fatalf("read expected private key file: %s", err)
+	}
+
+	decodedPK, _ := pem.Decode(pkPEM)
+
+	if !reflect.DeepEqual(actualPKE.PrivateKey, decodedPK.Bytes) {
+		t.Errorf("unexpected private key %v \n %v", actualPKE.PrivateKey, decodedPK.Bytes)
+	}
+}
diff --git a/keystore_test.go b/keystore_test.go
index c773bc3..1b5a726 100644
--- a/keystore_test.go
+++ b/keystore_test.go
@@ -187,111 +187,6 @@ func TestAliases(t *testing.T) {
 	}
 }
 
-func TestLoad(t *testing.T) {
-	password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
-	defer zeroing(password)
-
-	f, err := os.Open("./testdata/keystore.jks")
-	if err != nil {
-		t.Fatalf("open test data keystore file: %s", err)
-	}
-
-	defer func() {
-		if err := f.Close(); err != nil {
-			t.Fatalf("close test data keystore file: %s", err)
-		}
-	}()
-
-	keyStore := New()
-
-	if err := keyStore.Load(f, password); err != nil {
-		t.Fatalf("decode test data keystore: %s", err)
-	}
-
-	actualPKE, err := keyStore.GetPrivateKeyEntry("alias", password)
-	if err != nil {
-		t.Fatalf("get private key entry: %s", err)
-	}
-
-	expectedCT, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2017-09-19 17:41:00.016 +0300 EEST")
-	if err != nil {
-		t.Fatalf("parse creation time: %s", err)
-	}
-
-	if !actualPKE.CreationTime.Equal(expectedCT) {
-		t.Errorf("unexpected private key entry creation time: '%v' '%v'", actualPKE.CreationTime, expectedCT)
-	}
-
-	if len(actualPKE.CertificateChain) != 0 {
-		t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
-	}
-
-	pkPEM, err := os.ReadFile("./testdata/key.pem")
-	if err != nil {
-		t.Fatalf("read expected private key file: %s", err)
-	}
-
-	decodedPK, _ := pem.Decode(pkPEM)
-
-	if !reflect.DeepEqual(actualPKE.PrivateKey, decodedPK.Bytes) {
-		t.Errorf("unexpected private key")
-	}
-}
-
-func TestLoadKeyPassword(t *testing.T) {
-	password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
-	defer zeroing(password)
-
-	keyPassword := []byte{'k', 'e', 'y', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
-	defer zeroing(keyPassword)
-
-	f, err := os.Open("./testdata/keystore_keypass.jks")
-	if err != nil {
-		t.Fatalf("open test data keystore file: %s", err)
-	}
-
-	defer func() {
-		if err := f.Close(); err != nil {
-			t.Fatalf("close test data keystore file: %s", err)
-		}
-	}()
-
-	keyStore := New()
-
-	if err := keyStore.Load(f, password); err != nil {
-		t.Fatalf("decode test data keystore: %s", err)
-	}
-
-	actualPKE, err := keyStore.GetPrivateKeyEntry("alias", keyPassword)
-	if err != nil {
-		t.Fatalf("get private key entry: %s", err)
-	}
-
-	expectedCT, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2020-10-26 12:01:38.387 +0200 EET")
-	if err != nil {
-		t.Fatalf("parse creation time: %s", err)
-	}
-
-	if !actualPKE.CreationTime.Equal(expectedCT) {
-		t.Errorf("unexpected private key entry creation time: '%v' '%v'", actualPKE.CreationTime, expectedCT)
-	}
-
-	if len(actualPKE.CertificateChain) != 1 {
-		t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
-	}
-
-	pkPEM, err := os.ReadFile("./testdata/key_keypass.pem")
-	if err != nil {
-		t.Fatalf("read expected private key file: %s", err)
-	}
-
-	decodedPK, _ := pem.Decode(pkPEM)
-
-	if !reflect.DeepEqual(actualPKE.PrivateKey, decodedPK.Bytes) {
-		t.Errorf("unexpected private key %v \n %v", actualPKE.PrivateKey, decodedPK.Bytes)
-	}
-}
-
 func readPrivateKey(t *testing.T) []byte {
 	t.Helper()
 
diff --git a/testdata/openjdk_temurin_21_cacerts.p12 b/testdata/openjdk_temurin_21_cacerts.p12
new file mode 100644
index 0000000..563a54e
Binary files /dev/null and b/testdata/openjdk_temurin_21_cacerts.p12 differ